CVEs classified under CWE-267, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (49)
CVE-2023-22647 — CVSS 9.9 (critical): An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate…
CVE-2026-29646 — CVSS 9.8 (critical): In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor…
CVE-2021-44547 — CVSS 9.1 (critical): A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0 allows authenticated administrators to executed arbitrary code, leading…
CVE-2026-27314 — CVSS 8.8 (high): Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission…
CVE-2025-14349 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal Software Inc. FlexCity/Kiosk…
CVE-2026-0945 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role…
CVE-2026-23526 — CVSS 8.8 (high): CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have…
CVE-2025-26467 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate…
CVE-2025-23015 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate…
CVE-2024-55968 — CVSS 8.8 (high): An issue was discovered in DTEX DEC-M (DTEX Forwarder) 6.1.1. The com.dtexsystems.helper service, responsible for handling privileged…
CVE-2024-39866 — CVSS 8.8 (high): A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application allows users to…
CVE-2023-44218 — CVSS 8.8 (high): A flaw within the SonicWall NetExtender Pre-Logon feature enables an unauthorized user to gain access to the host Windows operating system…
CVE-2023-2983 — CVSS 8.8 (high): Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23.
CVE-2020-29396 — CVSS 8.8 (high): A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows…
CVE-2026-42406 — CVSS 8.7 (high): A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager…
CVE-2023-43746 — CVSS 8.7 (high): When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions…
CVE-2021-23186 — CVSS 8.7 (high): A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access…
CVE-2021-23166 — CVSS 8.7 (high): A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read and…
CVE-2025-2903: An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can…
CVE-2025-62641 — CVSS 8.2 (high): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2025-62590 — CVSS 8.2 (high): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2025-62589 — CVSS 8.2 (high): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2025-62588 — CVSS 8.2 (high): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2025-62587 — CVSS 8.2 (high): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2026-2460 — CVSS 8.1 (high): A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by…
CVE-2026-2459 — CVSS 8.1 (high): A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the…
CVE-2024-7571 — CVSS 7.8 (high): Incorrect permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges.
CVE-2024-42365 — CVSS 7.4 (high): Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and…
CVE-2024-8539 — CVSS 7.1 (high): Improper authorization in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker to modify sensitive…
CVE-2021-44476 — CVSS 6.8 (medium): A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read…
CVE-2024-20411 — CVSS 6.7 (medium): A vulnerability in Cisco NX-OS Software could allow an authenticated, local attacker with privileges to access the Bash shell…
CVE-2019-10170 — CVSS 6.6 (medium): A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw…
CVE-2019-10169 — CVSS 6.6 (medium): A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw…
CVE-2025-53900 — CVSS 6.5 (medium): Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions…
CVE-2025-61754 — CVSS 6.5 (medium): Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Service API). Supported versions that are affected are…
CVE-2025-7691 — CVSS 6.5 (medium): A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and…
CVE-2025-7030 — CVSS 6.5 (medium): Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured…
CVE-2023-27895 — CVSS 6.1 (medium): SAP Authenticator for Android - version 1.3.0, allows the screen to be captured, if an authorized attacker installs a malicious app on the…
CVE-2025-62591 — CVSS 6.0 (medium): Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are…
CVE-2019-14865 — CVSS 5.9 (medium): A flaw was found in the grub2-set-bootflag utility of grub2. A local attacker could run this utility under resource pressure (for example…
CVE-2025-53070 — CVSS 5.5 (medium): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11. Easily…
CVE-2024-8631 — CVSS 5.5 (medium): A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to…
CVE-2025-62289 — CVSS 4.9 (medium): Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is…
CVE-2025-62288 — CVSS 4.9 (medium): Vulnerability in the Oracle Health Sciences Data Management Workbench product of Oracle Health Sciences Applications (component: Logger)…
CVE-2025-47811 — CVSS 4.1 (medium): In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default…
CVE-2026-6816 — CVSS 3.8 (low): An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery…
CVE-2025-62480 — CVSS 2.7 (low): Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Naming Subsystem). The supported version that…
CVE-2025-62479 — CVSS 2.7 (low): Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Block Storage). The supported version that is…